Remote MCP — HTTP/SSE transport
For server-side LLM applications, claude.ai's remote-MCP feature, IDE plugins,
or any MCP client that speaks streamable HTTP. Same 144 tools
as the stdio transport, but instead of holding platform credentials the server
passes through whatever JWT the caller sends in Authorization: Bearer ….
Endpoint
- Public URL:
https://app.proofarc.ai/mcp/ - Health check (no auth):
GET /mcp/healthz→{"status":"ok"} - Tool/resource calls:
POST /mcp/with a Bearer JWT and JSON-RPC over streamable HTTP per the MCP spec.
Getting a platform JWT
Standard platform login:
TOKEN=$(curl -s https://app.proofarc.ai/api/auth/login \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"…"}' | jq -r .token)
Tokens are valid for 30 days by default (see backend.jwtExpirationMs in the
Helm chart values).
Sanity check
# 200 — no auth required
curl https://app.proofarc.ai/mcp/healthz
# 401 — bearer required
curl -X POST https://app.proofarc.ai/mcp/ -i
# 200/202 — MCP handshake (server returns SSE/streamable JSON-RPC)
curl -X POST https://app.proofarc.ai/mcp/ \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: application/json, text/event-stream" \
-H "Content-Type: application/json" \
--data '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
How auth flows through
caller (Claude, etc.)
│ Authorization: Bearer <platform-jwt>
▼
proofarc-mcp pod (Starlette + uvicorn)
│ BearerMiddleware reads header, stashes in contextvar
▼
tool handler (e.g. list_projects)
│ PassthroughProvider.token() reads contextvar
▼
platform_client.GET /api/projects
│ Authorization: Bearer <same-platform-jwt>
▼
proofarc backend (RBAC enforced as the caller's user)
No platform credentials live in the MCP pod. RBAC is enforced server-side as the caller's user — the MCP server is a stateless protocol gateway.
Connecting from an MCP client
Any client that speaks streamable HTTP MCP. Examples:
- claude.ai remote MCP — add
https://app.proofarc.ai/mcp/as a custom server, set theAuthorization: Bearer …header in the connector config. - Reference
mcp-clientCLI:mcp-client connect https://app.proofarc.ai/mcp/ \--header "Authorization: Bearer $TOKEN" - Server-side LLM apps using the Anthropic Python SDK or similar — point the transport at the URL and inject the bearer per-request.
Failure modes
| Symptom | Likely cause |
|---|---|
401 missing_bearer | No Authorization header. Add one. |
401 missing_bearer even with header | Header isn't Bearer … (we reject Basic, etc.). |
| Platform 401 surfaced from a tool | The platform JWT expired. Re-login and retry. |
PermissionError: No Authorization bearer present | Internal bug — middleware should have rejected; file an issue. |